Score:2

QEMU/KVM guest VM cannot resolve DNS hostnames or SSH/ping from host

mx flag

I have a QEMU/KVM-based virtual machine with CentOS 6.4 that cannot fully connect to the Internet. I can ping IP addresses (ex. ping 8.8.8.8 works successfully), but domain names are not resolved (ex. ping google.com returns ping: unknown host google.com).

The guest has a static IP assigned to it, and I am using the default (NAT-based) network:

<network>
  <name>default</name>
  <uuid>8c257186-7af4-4e19-a086-27f50f692af6</uuid>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:d6:62:2d'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>

/run/resolvconf/resolv.conf is not present on the VM, and none of the resolvconf, nslookup, systemctl, host, hostnamectl, or nmcli programs is installed, so the ability to run network setting diagnostics is limited.

I’ve tried the following:

  • Editing /etc/sysconfig/network-scripts/ifcfg-eth0 by adding DNS1=8.8.8.8, DNS2=8.8.4.4 and PEERDNS=yes. After rebooting, this created /etc/resolv.conf, which was not originally present.
  • Replacing "hosts: files dns" with "hosts: files dns nisplus nis" in /etc/nsswitch.conf, then rebooting.
  • Following this guide to create a host-only network.
  • Following this guide to create a virtual bridge via qemu-bridge-helper.
  • (As an aside, I attempted to create a fileshare between the guest and host via this guide, but this requires 9p, a filesystem that CentOS 6 is apparently not compatible with.)

But with each attempt, the host still cannot SSH into/ping the guest, nor can the guest resolve domain names. Any help with accomplishing either of these two steps (the host can SSH into the guest; the guest is fully connected to the Internet) would be very much appreciated.

Here are some file contents/command line outputs that might be helpful. Happy to provide more information.

Contents of /etc/resolv.conf (Guest):

options edns0 trust-ad
; generated by /sbin/dhclient-script
nameserver 8.8.8.8
nameserver 8.8.4.4

Output of ip a (Guest):

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever


2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:7b:6c:27 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.92/22 brd 192.168.123.255 scope global eth0
    inet6 fe80::5054:ff:fe7b:6c27/64 scope link
       valid_lft forever preferred_lft forever

Output of ssh 192.168.122.92 (Host):

ssh: connect to host 192.168.122.92 port 22: Connection refused

Output of ping 192.168.122.92 (Host):

PING 192.168.122.92 (192.168.122.92) 56(84) bytes of data.
From 192.168.122.1 icmp_seq=1 Destination Port Unreachable
ping: sendmsg: Operation not permitted
From 192.168.122.1 icmp_seq=2 Destination Port Unreachable
ping: sendmsg: Operation not permitted
From 192.168.122.1 icmp_seq=3 Destination Port Unreachable
ping: sendmsg: Operation not permitted
From 192.168.122.1 icmp_seq=4 Destination Port Unreachable
ping: sendmsg: Operation not permitted
^C
--- 192.168.122.92 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3065ms

EDIT 1

Contents of /etc/sysconfig/network-scripts/ifcfg-eth0 (Guest):

DEVICE=eth0
HWADDR=52:54:00:7B:6C:27
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=no
BOOTPRONTO=none
IPADDR=192.168.122.92
NETMASK=255.255.252.0
GATEWAY=192.168.122.1
DNS1=8.8.8.8
DNS2=8.8.4.4
PEERDNS=yes

EDIT 2

Output of iptables-save (Host):

# Generated by iptables-save v1.8.4 on Mon Jan  3 22:03:26 2022
*mangle
:PREROUTING ACCEPT [86972:77359835]
:INPUT ACCEPT [86966:77359331]
:FORWARD ACCEPT [6:504]
:OUTPUT ACCEPT [87805:9060728]
:POSTROUTING ACCEPT [69226:7583136]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Mon Jan  3 22:03:26 2022
# Generated by iptables-save v1.8.4 on Mon Jan  3 22:03:26 2022
*nat
:PREROUTING ACCEPT [4:1038]
:INPUT ACCEPT [3:954]
:OUTPUT ACCEPT [19614:1550200]
:POSTROUTING ACCEPT [1032:73142]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Mon Jan  3 22:03:26 2022
# Generated by iptables-save v1.8.4 on Mon Jan  3 22:03:26 2022
*filter
:INPUT ACCEPT [86966:77359331]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [69220:7582632]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
COMMIT
# Completed on Mon Jan  3 22:03:26 2022

EDIT 3

Output of sudo iptables-save (Guest):

# Generated by iptables-save v1.4.7 on Thu Jan 6 05:53:35 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Jan 6 05:53:35 2022
another victim of the mouse avatar
cf flag
> inet 192.168.122.92/**22** brd 192.168.123.255 scope global eth0 Looks fishy to me. Can we see `cat /etc/sysconfig/network-scripts/ifcfg-eth0` ? It looks like you have an incorrect net mask on your guest. > NETMASK=255.255.252.0
mx flag
Thanks @Jacobyoby . I added more info above.
another victim of the mouse avatar
cf flag
your net masks do not match. Is this intentional?
mx flag
It's not intentional. I've set `NETMASK=255.255.255.0` in `/etc/sysconfig/network-scripts/ifcfg-eth0` to match with the virtual network. I now get `inet 192.168.122.92/24 brd 192.168.122.255 scope global eth0` under `eth0` in `ip a` in the guest. But DNS still does not resolve domain names, and the guest IP cannot be reached via SSH/ping in the host.
another victim of the mouse avatar
cf flag
did you disable firewalld for testing?
mx flag
@Jacobyoby @AlexD Not firewalld, but it's likely due to these two rules in `iptables`: `-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable` and `-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable` (more details above). However, I (temporarily) removed them, rebooted the guest VM, and still get the same errors.
another victim of the mouse avatar
cf flag
please add a rule to allow inbound SSH on port 22 to iptables.
mx flag
I added two new rules to iptables in the guest: `sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT` and `sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT`. I also added `sudo iptables -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT` and `sudo iptables -A INPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT` to the host. However, I'm getting the same errors. Am I missing anything?
another victim of the mouse avatar
cf flag
can you disable iptables for testing?
Score:1
jp flag

The following error messages from ping indicate that the communication is blocked by a firewall.

Destination Port Unreachable
ping: sendmsg: Operation not permitted
mx flag
It turns out that the VPN was the issue. Either turning off the VPN, or allowing local network sharing within the VPN, fixed the issue. I'm now able to ping/SSH into the guest VM successfully. Thank you, everyone!
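The accepted explanation above is that "sendmsg: Operation not permitted" on the host means a local firewall policy rejected the host's own outgoing packets, and the host ruleset posted in EDIT 2 contains no such rule, which is consistent with the block living in a VPN client's chain. The following added example (not code from the thread) is a small diagnostic that reads iptables-save output and lists every REJECT/DROP rule reachable from the filter table's OUTPUT chain, directly or through one jump; the VPN_KILLSWITCH chain in the constructed sample is hypothetical and stands in for whatever the VPN installs.

```shell
#!/bin/sh
# Added example, not from the question or answer. Locally generated traffic
# (the host's ping/ssh to the guest) passes through the filter table's OUTPUT
# chain; a REJECT/DROP reached from there is what produces EPERM
# ("sendmsg: Operation not permitted") on the host.

# Constructed sample: libvirt's OUTPUT layout from the question plus a
# hypothetical VPN kill-switch chain that rejects anything not sent to tun0.
SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LIBVIRT_OUT - [0:0]
:VPN_KILLSWITCH - [0:0]
-A OUTPUT -j LIBVIRT_OUT
-A OUTPUT -j VPN_KILLSWITCH
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A VPN_KILLSWITCH -o tun0 -j ACCEPT
-A VPN_KILLSWITCH -o lo -j ACCEPT
-A VPN_KILLSWITCH -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# output_blockers: read iptables-save text on stdin, print each REJECT/DROP
# rule in the filter table that sits in OUTPUT or in a user chain OUTPUT
# jumps to (one level deep, which covers libvirt and typical kill switches).
output_blockers() {
  awk '
    /^\*/ { table = substr($0, 2) }
    table != "filter" || $1 != "-A" { next }
    { chain = $2; target = ""
      for (i = 3; i <= NF; i++) if ($i == "-j") target = $(i + 1) }
    target == "REJECT" || target == "DROP" { block[chain] = block[chain] $0 "\n" }
    chain == "OUTPUT" && target != "" { reach[target] = 1 }
    END {
      printf "%s", block["OUTPUT"]
      for (c in reach) printf "%s", block[c]
    }'
}

# count_blockers: number of offending rules found in the constructed sample.
count_blockers() { printf '%s\n' "$SAMPLE" | output_blockers | grep -c . ; }

# On a real host run: sudo iptables-save | output_blockers
```

An empty result means the EPERM is not coming from iptables on that host; the same check run against the EDIT 2 ruleset prints nothing, which matches the VPN turning out to be the cause.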